samba - Mar 2005 - Unable to set ACLs with Samba 3.0.11, near publication deadline

Hello, Jeremy and Jerry,

I met both of you at LinuxWorld in Boston, where I learned tons and tons
of great stuff from your presentations.

I'm writing on deadline for publication and would really, really, really
like to show off Samba's ability to map NT ACLs to POSIX ACLs. But right
now, I can't make them work. I've spent some time on the Samba list
trying to make this work, but haven't received much of a response. I'm
also CC'ing David Sonenberg who has reported the same or a similar problem
in well documented emails to the samba list.

I've made the effort to pull together as much information about
my configuration as possible in the hopes that we can nail down
this bug, or user error, or whatever it turns out to be in time
to write great things about Samba's abilities in this area.

Thank you!

* * *

So, here's the configuration:

* Samba 3.0.11, from the samba.org Fedora Core 3 RPMs
* Fedora Core 3
* ext3 fs mounted with acls on, setfacls and getfacls work great
* winbind in use in nsswitch.conf
* The server is a member of a Windows 2003 Active Directory domain

The share in question looks like this on the server:

[root@ADSambaFP1 samba]# !ls
ls -l /research
total 16
-rw-r--r--  1 AD\marketperson1 10003 33 Feb 21 21:16 research1.txt
-rw-r--r--  1 AD\marketperson1 10003 34 Feb 21 21:16 research2.txt

I can reproduce the problem using the smbcacls tool. There's quite a bit
of debugging information included below.

At the end of this message you will also find:

* The relevant part of "getent passwd"
* The relevant part of "getent group"

If you need any further information or assistance from me to resolve this
please don't hesitate to ask.

Thank you very much!

* * *

[root@ADSambaFP1 samba]# !smbc
smbcacls //localhost/research research1.txt -a
ACL:AD\\marketinggroup:ALLOWED/0/RWX -U AD\\marketperson1
added interface ip=192.168.2.211 bcast=192.168.2.255 nmask=255.255.255.0
Password:
Connecting to host=localhost
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=99)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=adsambafp1$@AD.CORP.COM
Got challenge flags:
Got NTLMSSP neg_flags=0x60890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
Connecting to host=localhost
Connecting to 127.0.0.1 at port 445
Doing spnego session setup (blob length=99)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=adsambafp1$@AD.CORP.COM
Got challenge flags:
Got NTLMSSP neg_flags=0x60890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
lsa_io_sec_qos: length c does not match size 8
Failed to parse ACL ACL:AD\marketinggroup

* * *

getent passwd | grep marketperson1
AD\marketperson1:x:10021:10000:Marketperson1:/home/AD/marketperson1:/bin/bash

* * *

getent group | grep marketperson1
AD\marketinggroup:x:10015:AD\marketperson2,AD\marketperson1

--
Thomas Boutell
Boutell.Com, Inc. 
http://www.boutell.com/

I'd be interested in finding out whatever information comes of your query as
well - I think I'm running into the same limitations.

In short, I've added a Samba file sharing server to an existing 
"ActiveDirectory" domain.  It seems to work fine, except that the
Windows
administrator there is complaining about the "chunky" permissions
scheme (he
can't revoke "part of" the write access in the Windows security
tab for the
share - any "write" box checked ends up coming back as "full
access" on
update, I presume because it's just being mapped to the *nix
"write"
permission rather than enforcing the more fine-grained permissions which I 
gathered should have been stored as extended attributes...)

Is the capability to support the Windows permissions model new in 3.0.11 or
later?  

On Monday 07 March 2005 07:04 pm, Thomas Boutell wrote:
> Hello, Jeremy and Jerry,
>
> I met both of you at LinuxWorld in Boston, where I learned tons and tons
> of great stuff from your presentations.
>
> I'm writing on deadline for publication and would really, really,
really
> like to show off Samba's ability to map NT ACLs to POSIX ACLs. But
right
> now, I can't make them work. I've spent some time on the Samba list
> trying to make this work, but haven't received much of a response.
I'm
> also CC'ing David Sonenberg who has reported the same or a similar
problem
> in well documented emails to the samba list.
>
> I've made the effort to pull together as much information about
> my configuration as possible in the hopes that we can nail down
> this bug, or user error, or whatever it turns out to be in time
> to write great things about Samba's abilities in this area.
>
> Thank you!
[...]

Anybody have a roadkill cookbook?

Because I have some crow to eat, and I'm not sure how best
to prepare it. Sigh.

I didn't have writable = yes set on the share. The fact that smbcacls 
didn't work (and still doesn't work!) blinded me to this more obvious
issue. Once I set writable = yes, of course, I was able to change
acls from a true Windows client... which was of course my
actual goal. I'd created my test files in advance on the Linux
side, so the no-write-permissions-at-all issue wasn't obvious at
any other time.

Thanks for the attention you gave to the matter. Next time, if I'm
not able to spot the issue myself, I'll be sure to include my
*entire* smb.conf in the report.

--
Thomas Boutell
Boutell.Com, Inc. 
http://www.boutell.com/